Security and Compliance Weekly (audio)
It’s the show that bridges the requirements of regulations, compliance, and privacy with those of security. Your trusted source for complying with various mandates, building effective programs, and current compliance news. It’s time for Security and Compliance Weekly.
Becoming the Avengers - SCW #99
12/23/2021
The author of "Why CISOs Fail" joins us today to tell us about the success of his first book and to introduce his forthcoming book, "Security Hippie." Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to building, managing and counseling security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Livenation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others. The goal of his new book is to convey security concepts by telling stories, so we hope to hear a few examples from him during the course of the interview. Show Notes: To leave a heartfelt message for Hannah (Jeff's granddaughter): Visit for all the latest episodes! Follow us on Twitter: Like us on Facebook:
/episode/index/show/scwaudio/id/21577784
Under the Bus - SCW #98
12/16/2021
Ben Carr will lead us in a discussion about the origins of the CISO role, its responsibilities, and what it's like to be a CISO. We'll touch on qualifications, organizational structure, its place in security and compliance, and what it's like to be a hero or a scapegoat. All this and more!
/episode/index/show/scwaudio/id/21500240
Too Authentic - SCW #97
12/02/2021
There’s something happening here – and what it is ain’t exactly clear to O.G. hackers like John Threat or our own Mr. Jeff Man. We’re going to devote an episode to talking about how things used to be back in the day from a hacker/penetration-tester perspective and discuss how things are today. Are things better? Worse? Depends on your attack vector, perhaps? Join us on Discord and participate in the discussion of what’s right and what’s wrong in our industry today and what we can do about it. All from a hacker’s perspective.
/episode/index/show/scwaudio/id/21349511
A Good Mission - SCW #96
11/24/2021
In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS, which was reflected in its tag line, “Techniques, Tools and Tirade about Retail Technology and E-Commerce.” The founder of the column, Evan Schuman, is a veteran journalist who has covered a wide range of technology, privacy and legal issues over the past three decades. Evan will give us his take on many of the issues facing the connected world: past, present, and future.
/episode/index/show/scwaudio/id/21275879
Massive Damage - SCW #95
11/18/2021
CISA recently published guidance for how managed service providers (MSPs) should approach security for their operations, based on the premise that cyber threat actors are known to target MSPs to reach their customers. MSPs provide remote management of customer IT and end-user systems and generally have direct access to their customers’ networks and data. By exploiting trust relationships in MSP networks, cyber threat actors can gain access to a large number of the victim MSP's customers. The CISA Insights publication provides mitigation and hardening guidance for MSPs and their small- and mid-size business customers. By applying this guidance, organizations can protect MSP customer network assets and reduce the risk of successful cyberattacks. Our conversation today will focus on the problems that MSPs and SMBs face in achieving the right level of security for their organizations and satisfying compliance and regulatory requirements, all while trying to stay in business.
/episode/index/show/scwaudio/id/21199985
A Good Crisis - SCW #94
11/11/2021
Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better: how compliance really needs to come first; how it's all risk-based, or should be RGC rather than GRC; legal and privacy issues and focus, and how they help or hinder the cause; and other factors like burnout, gatekeeping, etc. that all contribute to our industry being overly focused on and reliant on technology while not handling the people/process part very well.
/episode/index/show/scwaudio/id/21121949
Diversity & Equality - SCW #93
11/04/2021
With cybersecurity skills already in short supply, the prospect of losing what little workforce there is to pull from to resignations (especially in the context of the ‘Great Resignation’), is a disturbing one. Rick McElroy will speak to the causes of security burnout and the steps organizations need to take to prevent the loss of the precious resource that is security talent. He will share supporting research findings from VMware's latest Global Incident Response Threat Report: Manipulating Reality.
/episode/index/show/scwaudio/id/21044996
Overly Prescriptive - SCW #92
10/28/2021
Tony and Thomas will discuss the importance, value, and challenge of cross-mapping security frameworks, the rationale and process used by CIS to create and support mappings, and some real-world examples and real-life problems.
/episode/index/show/scwaudio/id/20965850
Different Directions - SCW #91
10/22/2021
We’re getting closer to the Q1 2022 release of PCI DSS 4.0, which is expected to differ from the current PCI DSS 3.2.1 version in a few key ways. This includes giving organizations more options in how they become compliant, along with customized implementation. In this podcast, Chris Pin, VP of Privacy and Compliance at PKWARE, will discuss what customized implementation means for organizations, additional changes in 4.0, and why they’re important. And, while PCI DSS 3.2.1 won’t be retired until 2024, it’s a good idea for companies to get started now on their 4.0 compliance strategy. After all, the road to compliance could be a long one, and 2025 will be here before we know it!
/episode/index/show/scwaudio/id/20899721
This Is Fascinating - SCW #90
10/14/2021
Tune in for this discussion on social engineering and its merits for being recognized as a legitimate component of cyber security. We'll also dive into the whole notion of motive and intent as it pertains to deliberately misrepresenting yourself, or simply lying to your customer, in order to get them to be more secure. Segment Resources: The Aspies Guide to Social Engineering, from the DEF CON 27 Social Engineering Village.
/episode/index/show/scwaudio/id/20796131
Providing the Assurance - SCW #89
10/07/2021
This week we're talking all things ISO 27001 with Wim Remes! We're starting with what it is (the who, what, where, when, why, etc.), then we'll talk about the bad and the good. Tune in for this special listener-requested topic!
/episode/index/show/scwaudio/id/20731847
Little Bugs - SCW #88
09/30/2021
This week, we welcome Casey Ellis, Founder/Chair/CTO at Bugcrowd, to talk about Compliance and “The Crowd”! Crowdsourcing and multi-sourcing focus on risk identification and reduction, and they seem to be effective... but my auditor doesn't understand what it is yet - Will it meet the requirements of security compliance standards? Jeff and Casey will dig into the hits and misses of plugging novel assurance approaches into established markets.
/episode/index/show/scwaudio/id/20645954
Blinky Lights - SCW #87
09/23/2021
This week, we welcome Johanna Baum, CEO, Founder at Strategic Security Solutions, to talk about Activism v. Hacktivism! "Hacktivism" is a controversial term with several meanings. The word was coined to characterize electronic direct action as working toward social change by combining programming skills with critical thinking. But just as "hack" can sometimes mean cybercrime, "hacktivism" can be used to mean activism that is malicious, destructive, and undermining of the security of the Internet as a technical, economic, and political platform.
/episode/index/show/scwaudio/id/20568983
Chocolate Bar Bounty - SCW #86
09/16/2021
This week, we welcome Jim Henderson, Insider Threat Mitigation Training Course Instructor & Consultant at Insider Threat Defense Group, Inc., to discuss Insider Threats Overview - Going Beyond The Norm!
/episode/index/show/scwaudio/id/20487455
We Love Your Dog - SCW #85
09/01/2021
This week, we welcome Christopher Bulin, Founder & CEO at Proven PCI, to talk about The Truth Behind the Payments! SMBs need to understand the importance of being PCI compliant, and that just because the verbiage on a website says the vendor is compliant doesn't make the merchant compliant. A service provider saying it is compliant is not enough; asking for a copy of their AOC (Attestation of Compliance) is critical. If your merchant service provider is guiding you through the SAQ, or telling you to just check yes or no, they are coercing you into falsifying documents, which is a breach of your agreement.
/episode/index/show/scwaudio/id/20325803
Homework - SCW #84
08/25/2021
This week, we welcome Tim Callahan, SVP, Global CISO at Aflac, to talk about From Compliance to Resiliency: The Evolution of InfoSec! Because only maintaining compliance is not enough to protect your business from the ever-evolving threat landscape, in this session we will consider the intersection and codependence of compliance with security, maturity, defensibility and resiliency. An effective and maturing program must also align to a Control Framework so that you can measure its effectiveness and ensure appropriate decisions are made that enable business requirements and protect the security, integrity, and availability of information and technology. All of this must happen through the lens of defensibility, which is an essential consideration when making risk decisions. And finally, we will look at what makes a business cyber-resilient. The cyber-strong resilient company has the ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and overall brand equity.
/episode/index/show/scwaudio/id/20248925
Exception to the Rule - SCW #83
08/19/2021
This week, we welcome Naomi Buckwalter, Founder & Executive Director at Cybersecurity Gatebreakers Foundation, to discuss Gatekeeping in Cybersecurity! The “cybersecurity skills gap” is a myth. There is no skills gap. There are tens of thousands of amazing, highly intelligent, passionate people around the world looking to break into cybersecurity, but they never get the chance. Hiring managers and gatekeepers are simply unwilling to train and mentor the next generation of cybersecurity professionals, and this hurts our profession immensely. We’re fighting an asymmetric war, in which one bad actor can attack multiple companies and industries. We simply don’t have enough defenders and good guys in the trenches, and we need more fighters. The more fighters we have, the better chance we have at winning.
/episode/index/show/scwaudio/id/20187569
Time Lord - SCW #82
08/12/2021
This week, we welcome Matthew Erickson, Vice President of Solutions at SpiderOak Mission Systems, to discuss Protecting Comm. & Collaboration in Contested Environments! Protecting digital communication and collaboration is critical to both our military and private sector industries in driving mission success. Our ability to secure the local and remote systems we rely on to share and operationalize sensitive and confidential information to and from even the most remote location is vital to national security and our economy. Unfortunately, our adversaries know this and are dedicated to infiltrating, exfiltrating, and disrupting this flow of information.
/episode/index/show/scwaudio/id/20113496
Ancient Court - SCW #81
07/29/2021
Priya Chaudhry joins us today as co-host and we are eager to catch up with her and get her legal perspective on recent litigations and proposed legislation that impacts our world of security and compliance. Hear ye, Hear ye! The court is now in session.
/episode/index/show/scwaudio/id/19961696
Constantly Frustrated - SCW #80
07/23/2021
This week, we welcome Joseph Kirkpatrick, President at KirkpatrickPrice, to talk about Your Security Is ALWAYS in Scope! Our client was using a hosted service to perform remote monitoring and management and resisted its inclusion in the audit scope. The vendor's external scans revealed critical vulnerabilities. Prior to a highly-publicized breach, the vendor said no auditor had ever included their service in the scope of their audits. We will explore attitudes that keep critical security controls out of scope.
/episode/index/show/scwaudio/id/19902518
Tell the Truth - SCW #79
07/15/2021
We'll start with a brief discussion of what HIPAA is and is not (e.g., it doesn't prevent your employer from asking you about your health). Then we'll discuss recent developments, such as how ongoing ransomware attacks are targeting healthcare and, when successful, are reportable breaches; and the recent final rule on interoperability and information blocking that went into effect on April 5th.
/episode/index/show/scwaudio/id/19813214
Greased Lightning - SCW #78
06/30/2021
This week, we welcome Steve Lenderman, Director, Strategic Fraud Prevention at ADP, to discuss CARES Act Fraud, Paying People & Fraudsters! We will review how synthetic identities are being utilized to perpetrate pandemic-related frauds in the Paycheck Protection Program and Unemployment Insurance. We'll give an overview of the government programs, the controls that were in place, how they were compromised and by whom, and what you can do to remediate the risk.
/episode/index/show/scwaudio/id/19663454
Hesitation About the Test - SCW #77
06/24/2021
Join Dr. Casey Marks for a two-part discussion of the merits of cybersecurity certification and learn whether and how it provides training or proves experience or both, the pros and cons, how to start or approach getting certified, and more!
/episode/index/show/scwaudio/id/19585217
Help Heal - SCW #76
06/17/2021
Join this segment with Danny Akacki to learn about educating both practitioners and executives on security topics of the day and helping to build community initiatives like trust groups and community groups like local DEF CON chapters.
/episode/index/show/scwaudio/id/19503374
That's Nonsense - SCW #75
06/09/2021
This week, we welcome Doug Landoll, CEO at Lantego, to talk about the CMMC Program and DIB Preparation! Doing business with the Federal government has always had its share of requirements and regulations, especially when it comes to storing, processing, or transmitting any sensitive data. In fact, organizations doing business with the Federal government involving sensitive data are well acquainted with the cybersecurity controls they must implement based on well-known frameworks such as National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53) and NIST SP 800-171. However, in the last several years these controls (and the method by which organizations must demonstrate compliance) have drastically changed, culminating in the Cybersecurity Maturity Model Certification (CMMC) Framework. Segment Resources: Official DoD Acquisition Site for CMMC Program Info; Official Site of the CMMC Program; Official NIST Site for publications such as SP 800-53 and SP 800-171.
/episode/index/show/scwaudio/id/19416533
Birthday Wishes - SCW #74
05/27/2021
This week, we welcome Allan Friedman, Director of Cybersecurity Initiatives at NTIA, to discuss SBOM (Software Bill of Materials)! What is an SBOM? Who needs to think about this? Is this required today, and what might the future of compliance look like? What is in the recent EO?
/episode/index/show/scwaudio/id/19253726
Digital Bread Crumbs - SCW #73
05/13/2021
A flurry of legislative and legal activity is re-shaping the way privacy and cybersecurity professionals conduct business. As a result, in addition to actually carrying out their protection responsibilities, professionals charged with protecting private and confidential data must also be constantly aware of these evolving regulatory and legal obligations.
/episode/index/show/scwaudio/id/19084148
Enforcement Body - SCW #72
05/06/2021
Just last month, Virginia became the second state in the U.S. to pass a privacy law – the Consumer Data Protection Act (CDPA). While this doesn’t take effect until 2023, it’s important for businesses to understand what it means for them and start preparing for data security compliance now. Chris Pin, VP of Security and Privacy at PKWARE, will be discussing:
• How Virginia’s law differs from CCPA and GDPR and the key points companies need to know
• Where and how companies may need to enhance their data privacy policies and processes, and specifically why it’s imperative to know the five W’s of data (Who, What, Why, When, Where) and one H, How
• How companies should begin incorporating data discovery, data classification, data minimization, records of data processing activities, and data protection assessments into their everyday processes and controls, if they haven’t already
• Real-life situations that businesses could find themselves in
/episode/index/show/scwaudio/id/19009220
Boil the Ocean - SCW #71
04/28/2021
Richard Struse, Director of The Center for Threat-Informed Defense at MITRE Engenuity, joins the SCW crew for a two-part interview!
- What is threat-informed defense and how does it relate to other aspects of cybersecurity?
- The importance of ATT&CK as a lens through which you can view your security posture.
- Center for Threat-Informed Defense R&D products aimed at helping defenders better assess the efficacy of the controls they have in place.
/episode/index/show/scwaudio/id/18895799
The Other Guy - SCW #70
04/22/2021
This week, we welcome Chris Hughes, Principal Cybersecurity Engineer at Rise8, to talk about Compliance Innovations in the Cloud. Cloud has and continues to disrupt many traditional business processes, activities and IT paradigms. Compliance will also be revolutionized by cloud computing. In this session we will dive into many of the headaches and pain points traditionally associated with compliance, explaining how leveraging cloud can improve both compliance and security.
/episode/index/show/scwaudio/id/18814121